From b9e9fa985fccf20b3203928eb5910b8ac6cf30e7 Mon Sep 17 00:00:00 2001
From: Katharina Drexel
Date: Fri, 9 Apr 2021 17:26:19 +0200
Subject: Adding archive key verification.
---
 share/scripts/debconf | 43 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)
(limited to 'share/scripts/debconf')
diff --git a/share/scripts/debconf b/share/scripts/debconf
index 07d9a88..4f99150 100755
--- a/share/scripts/debconf
+++ b/share/scripts/debconf
@@ -425,8 +425,49 @@ EOF
 case "${MODE}" in
 progress-linux)
 PROGRESS_SOURCES="${DEBCONF_TMPDIR}/progress-linux.sources"
+ PROGRESS_SIG="${DEBCONF_TMPDIR}/progress-linux-${RELNR}-${DIST}-archive-key.pub.sig"
 PROGRESS_KEY="${DEBCONF_TMPDIR}/progress-linux-${RELNR}-${DIST}-archive-key.pub"
- wget -O "${PROGRESS_KEY}" "https://deb.progress-linux.org/packages/project/pgp/progress-linux-${RELNR}-${DIST}-archive-key.pub"
+ KEY_NAME=$(basename ${PROGRESS_KEY})
+
+ dpkg -l debian-keyring >/dev/null || apt install -qy debian-keyring
+
+ wget -q -O "${PROGRESS_KEY}" "https://deb.progress-linux.org/packages/project/pgp/progress-linux-${RELNR}-${DIST}-archive-key.pub"
+ wget -q -O "${PROGRESS_SIG}" "https://deb.progress-linux.org/packages/project/pgp/progress-linux-${RELNR}-${DIST}-archive-key.pub.sig"
+
+ if [ -e /usr/bin/gpgv ]
+ then
+ if [ -e /usr/share/keyrings/debian-keyring.gpg ] || [ -e /usr/share/keyrings/debian-maintainers.gpg ]
+ then
+ KEY_VALID=""
+
+ for KEYRING in /usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-maintainers.gpg
+ do
+ if [ -e "${KEYRING}" ]
+ then
+ echo -n "I: Verifying archive-key ${KEY_NAME} against $(basename ${KEYRING} .gpg | sed -e 's|-keyring||') keyring..."
+ if gpgv --quiet --keyring "${KEYRING}" "${PROGRESS_SIG}" "${PROGRESS_KEY}" 2>/dev/null
+ then
+ KEY_VALID="true" && break
+ fi
+ fi
+ done
+
+ case "${KEY_VALID}" in
+ true)
+ echo " successful."
+ ;;
+
+ *)
+ echo " failed."
+ return 1
+ ;;
+ esac
+ else
+ echo "W: Skipping archive-key ${KEY_NAME} verification, debian-keyring not available..."
+ fi
+ else
+ echo "W: Skipping archive-key ${KEY_NAME} verification, gpgv not available..."
+ fi
 
 for ARCHIVE in ${ARCHIVES}
 do
-- 
cgit v1.2.3
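Review bot: The verification fails open: when `/usr/bin/gpgv` or both keyring files are missing, the two outer `else` branches only print `W: Skipping archive-key ... verification` and execution continues, so the key fetched by `wget` is presumably used unverified by code outside this hunk. `dpkg -l debian-keyring` also exits 0 for a package that is removed but not purged, and the result of `apt install` is not checked, so the skip path is reachable on an ordinary system. I would make both branches fatal, e.g. `echo "E: cannot verify archive-key ${KEY_NAME}, gpgv or debian-keyring not available"` followed by `return 1`. Separately, `gpgv --keyring` accepts a signature made by any key in debian-keyring.gpg or debian-maintainers.gpg, which is a very wide trust anchor for a single archive key; consider comparing the signer fingerprint reported through `--status-fd` against a pinned value. The enclosing function begins and ends outside the hunk.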